From patchwork Wed Dec 8 17:10:29 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 4910 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4J8NwN2kqJz3wcZ for ; Wed, 8 Dec 2021 17:10:44 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4J8NwL4StQz3xM; Wed, 8 Dec 2021 17:10:42 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4J8NwL2VbPz2ytd; Wed, 8 Dec 2021 17:10:42 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4J8NwK4yf4z2xGC for ; Wed, 8 Dec 2021 17:10:41 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4J8NwJ2zzkz25; Wed, 8 Dec 2021 17:10:40 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1638983440; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=WL8hL9UxrrfbqRQ3SEjWjDNkH4BuJuNua6LlpfZxFSM=; b=lX8OpwqzoTVb0xuw7OyQyI3GsHlsDsIOax2N2UV1jIRxT7gTZBPzw0mDzlDPCfv8alPo0k ZnmkG7JJyBi9lGCw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1638983440; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=WL8hL9UxrrfbqRQ3SEjWjDNkH4BuJuNua6LlpfZxFSM=; b=j6hHnHk7BgRjDe9/fAMNfP6Ps+eHO6pPuQEz45WOKKhH86Rc+A7TcB5QocvVs188JyZ2qX UsH6qe3IgNQgf8uEENtQF6wubtRDrbFhDmPAMRvpUD4CNZ8gYWsKDBRvCLVBZV1y55sIMc YrtaBYd/luLVHRMQiAnZNe8M9Z6AlDmBWe7vZlpjyy/bKezmiehX9mhX6BRaP2ZOpYLv8O xEtfSOQJI83W+amGp4q6UbDIe2fE6i8jTzDXPdzfjkmERFSt5luObepgfzCrqdgvo98VVN R3ZHfI9FCi2x+DzBGiFrd7OmZldbNmLWhrB8hkD7ZRz7GcIcGc8A5QLkTBHRNw== From: Stefan Schantl To: development@lists.ipfire.org Subject: [PATCH 1/3] suricata: Update config file. Date: Wed, 8 Dec 2021 18:10:29 +0100 Message-Id: <20211208171031.308639-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" * This will enable swf decompression. * Enable modbus parser. * Enable dnp3 parser. * Enable enip parser. Signed-off-by: Stefan Schantl --- config/suricata/suricata.yaml | 84 +++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 0ad36e705..49921db86 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -525,6 +525,20 @@ app-layer: # auto will use http-body-inline mode in IPS mode, yes or no set it statically http-body-inline: auto + # Decompress SWF files. + # 2 types: 'deflate', 'lzma', 'both' will decompress deflate and lzma + # compress-depth: + # Specifies the maximum amount of data to decompress, + # set 0 for unlimited. + # decompress-depth: + # Specifies the maximum amount of decompressed data to obtain, + # set 0 for unlimited. + swf-decompression: + enabled: yes + type: both + compress-depth: 0 + decompress-depth: 0 + # Take a random value for inspection sizes around the specified value. # This lower the risk of some evasion technics but could lead # detection change between runs. It is set to 'yes' by default. @@ -539,6 +553,76 @@ app-layer: double-decode-path: no double-decode-query: no + # Can disable LZMA decompression + #lzma-enabled: yes + # Memory limit usage for LZMA decompression dictionary + # Data is decompressed until dictionary reaches this size + #lzma-memlimit: 1mb + # Maximum decompressed size with a compression ratio + # above 2048 (only LZMA can reach this ratio, deflate cannot) + #compression-bomb-limit: 1mb + # Maximum time spent decompressing a single transaction in usec + #decompression-time-limit: 100000 + + server-config: + + #- apache: + # address: [192.168.1.0/24, 127.0.0.0/8, "::1"] + # personality: Apache_2 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + #- iis7: + # address: + # - 192.168.0.0/24 + # - 192.168.10.0/24 + # personality: IIS_7_0 + # # Can be specified in kb, mb, gb. Just a number indicates + # # it's in bytes. + # request-body-limit: 4096 + # response-body-limit: 4096 + # double-decode-path: no + # double-decode-query: no + + # Note: Modbus probe parser is minimalist due to the poor significant field + # Only Modbus message length (greater than Modbus header length) + # And Protocol ID (equal to 0) are checked in probing parser + # It is important to enable detection port and define Modbus port + # to avoid false positive + modbus: + # How many unreplied Modbus requests are considered a flood. + # If the limit is reached, app-layer-event:modbus.flooded; will match. + #request-flood: 500 + + enabled: yes + detection-ports: + dp: 502 + # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it + # is recommended to keep the TCP connection opened with a remote device + # and not to open and close it for each MODBUS/TCP transaction. In that + # case, it is important to set the depth of the stream reassembling as + # unlimited (stream.reassembly.depth: 0) + + # Stream reassembly size for modbus. By default track it completely. + stream-depth: 0 + + # DNP3 + dnp3: + enabled: yes + detection-ports: + dp: 20000 + + # SCADA EtherNet/IP and CIP protocol support + enip: + enabled: yes + detection-ports: + dp: 44818 + sp: 44818 + ntp: enabled: yes dhcp: From patchwork Wed Dec 8 17:10:30 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 4911 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4J8NwP6G31z3wcZ for ; Wed, 8 Dec 2021 17:10:45 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4J8NwM3RTqztj; Wed, 8 Dec 2021 17:10:43 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4J8NwM38rWz30DH; Wed, 8 Dec 2021 17:10:43 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4J8NwL3DCfz2ymZ for ; Wed, 8 Dec 2021 17:10:42 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4J8NwL0zdPznF; Wed, 8 Dec 2021 17:10:42 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1638983442; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=plbgOl5hyg3E8s6/bXBVPk6iwD2cAoTRdIfzbGKAs0I=; b=0Rej4N5jL7ooUpaew5vC80Fyifw1on5GnA1ZOIJ5pS7GSSw+M9akkbn7JVjcMHpNTCZ3cZ 2MmizU2j5RLC51Dw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1638983442; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=plbgOl5hyg3E8s6/bXBVPk6iwD2cAoTRdIfzbGKAs0I=; b=h8mxSogjUjXS9I+ndFDPZ/z5KxFy+r/4PSHQiB1LUx3vwbuDKJWbMe8X919YxUVJpVLS06 /PRAI7IqGc7brhG7+YSxgz6zT3oh2JLPbfg/sZ75RD37IotBaZjshrV+JJumTaniPomBUf taO5aqKiZCMaYwZzxjATimkbBuQ1wAgC3q9ea+WmTENJOYQMM1obZ2LvFrkIY6DyjXwtR/ 3GB1jqu6CLagoDymKPr/oDUyrGEAytubc/ZGUpSy3LfRN3sdcyaMcs2xyVDnUR3YZ3gtml +ynJjatrDHTazr2CjgvPLfn+/DVquX30IGDKONmJmVK0Oa3QZE5uA8kkxM5+sA== From: Stefan Schantl To: development@lists.ipfire.org Subject: [PATCH 2/3] suricata: Move default loaded rulefiles to own included file. Date: Wed, 8 Dec 2021 18:10:30 +0100 Message-Id: <20211208171031.308639-2-stefan.schantl@ipfire.org> In-Reply-To: <20211208171031.308639-1-stefan.schantl@ipfire.org> References: <20211208171031.308639-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Signed-off-by: Stefan Schantl Acked-by: Michael Tremer Reviewed-by: Peter Müller --- config/rootfiles/common/suricata | 1 + config/suricata/suricata-default-rules.yaml | 22 ++++++++++++++++++ config/suricata/suricata.yaml | 25 ++++----------------- lfs/suricata | 3 +++ 4 files changed, 30 insertions(+), 21 deletions(-) create mode 100644 config/suricata/suricata-default-rules.yaml diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index ff31ec7d2..41193f4ea 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -37,6 +37,7 @@ usr/share/suricata #usr/share/suricata/rules/smtp-events.rules #usr/share/suricata/rules/stream-events.rules #usr/share/suricata/rules/tls-events.rules +var/ipfire/suricata/suricata-default-rules.yaml var/lib/suricata var/lib/suricata/classification.config var/lib/suricata/reference.config diff --git a/config/suricata/suricata-default-rules.yaml b/config/suricata/suricata-default-rules.yaml new file mode 100644 index 000000000..d13aa622a --- /dev/null +++ b/config/suricata/suricata-default-rules.yaml @@ -0,0 +1,22 @@ +%YAML 1.1 +--- + +# Default rules which helps + - /usr/share/suricata/rules/app-layer-events.rules + - /usr/share/suricata/rules/decoder-events.rules + - /usr/share/suricata/rules/dhcp-events.rules + - /usr/share/suricata/rules/dnp3-events.rules + - /usr/share/suricata/rules/dns-events.rules + - /usr/share/suricata/rules/files.rules + - /usr/share/suricata/rules/http2-events.rules + - /usr/share/suricata/rules/http-events.rules + - /usr/share/suricata/rules/ipsec-events.rules + - /usr/share/suricata/rules/kerberos-events.rules + - /usr/share/suricata/rules/modbus-events.rules + - /usr/share/suricata/rules/mqtt-events.rules + - /usr/share/suricata/rules/nfs-events.rules + - /usr/share/suricata/rules/ntp-events.rules + - /usr/share/suricata/rules/smb-events.rules + - /usr/share/suricata/rules/smtp-events.rules + - /usr/share/suricata/rules/stream-events.rules + - /usr/share/suricata/rules/tls-events.rules diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 49921db86..7b2557fce 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -46,28 +46,11 @@ vars: ## default-rule-path: /var/lib/suricata rule-files: - # Default rules - - /usr/share/suricata/rules/app-layer-events.rules - - /usr/share/suricata/rules/decoder-events.rules - - /usr/share/suricata/rules/dhcp-events.rules - - /usr/share/suricata/rules/dnp3-events.rules - - /usr/share/suricata/rules/dns-events.rules - - /usr/share/suricata/rules/files.rules - - /usr/share/suricata/rules/http2-events.rules - - /usr/share/suricata/rules/http-events.rules - - /usr/share/suricata/rules/ipsec-events.rules - - /usr/share/suricata/rules/kerberos-events.rules - - /usr/share/suricata/rules/modbus-events.rules - - /usr/share/suricata/rules/mqtt-events.rules - - /usr/share/suricata/rules/nfs-events.rules - - /usr/share/suricata/rules/ntp-events.rules - - /usr/share/suricata/rules/smb-events.rules - - /usr/share/suricata/rules/smtp-events.rules - - /usr/share/suricata/rules/stream-events.rules - - /usr/share/suricata/rules/tls-events.rules - # Include enabled ruleset files from external file - - !include: /var/ipfire/suricata/suricata-used-rulefiles.yaml + include: /var/ipfire/suricata/suricata-used-rulefiles.yaml + + # Include default rules. + include: /var/ipfire/suricata/suricata-default-rules.yaml classification-file: /var/lib/suricata/classification.config reference-config-file: /var/lib/suricata/reference.config diff --git a/lfs/suricata b/lfs/suricata index f5b68da8f..96c2b33fe 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -96,6 +96,9 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) # Install IPFire related config file. install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata + # Install yaml file for loading default rules. + install -m 0664 $(DIR_SRC)/config/suricata/suricata-default-rules.yaml /var/ipfire/suricata + # Create emtpy rules directory. -mkdir -p /var/lib/suricata From patchwork Wed Dec 8 17:10:31 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 4912 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4J8NwQ2spdz3wtb for ; Wed, 8 Dec 2021 17:10:46 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4J8NwM4wR2z4JN; Wed, 8 Dec 2021 17:10:43 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4J8NwM3vX2z30Gj; Wed, 8 Dec 2021 17:10:43 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4J8NwL5vSwz2ySt for ; Wed, 8 Dec 2021 17:10:42 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4J8NwL3f4sz2Md; Wed, 8 Dec 2021 17:10:42 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1638983442; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=yxMM54yhZVAcPQe+SLMYKOo8MCVqFyQZMrnlz3WKhtE=; b=+82jhcWRzyZHkYTrYDqJEWjuc7fCg9i6ozGmru2gRnSWw71Ldx+089HkFkji7pNQp2kAau 5jgM1dNCR/d8iTDA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1638983442; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=yxMM54yhZVAcPQe+SLMYKOo8MCVqFyQZMrnlz3WKhtE=; b=Dl0ygaZU/8Gde1OZdNhYV4SgHVvTFsMCKc4sc/n088Ko0ulrvcXh79sbsusDQETBa939AA fajjZQVxOGZl3mHQmLph/u6wZB5U0RrhTNJz4+O317zXcwBQB9MI838MzpvrytPiEAsqW4 r6fkR30cDsEZm/xDZxTlF6vwbVvBbAKBbA+XIPAyBkKBE6DiGXm92jW5Pc7/zsxJU8vQaY MgQDUgvVAc2HRedDqZ3mnCQ9MWEJSL7LhCm6pGWUPHU1+16ekUoUt8mdfGC5oHzUtJpH9h MRQut+2n9q5CT7BBS4JeyIjlU3B/87CAF/CNpA4oOebY84WBrhoK2CtJR6ZS8g== From: Stefan Schantl To: development@lists.ipfire.org Subject: [PATCH 3/3] suricata: Cleanup default loaded rules file. Date: Wed, 8 Dec 2021 18:10:31 +0100 Message-Id: <20211208171031.308639-3-stefan.schantl@ipfire.org> In-Reply-To: <20211208171031.308639-1-stefan.schantl@ipfire.org> References: <20211208171031.308639-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" There are no such rules file available and therefore cannot be loaded. Signed-off-by: Stefan Schantl Reviewed-by: Michael Tremer Reviewed-by: Peter Müller --- config/suricata/suricata-default-rules.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/config/suricata/suricata-default-rules.yaml b/config/suricata/suricata-default-rules.yaml index d13aa622a..64493e462 100644 --- a/config/suricata/suricata-default-rules.yaml +++ b/config/suricata/suricata-default-rules.yaml @@ -8,12 +8,10 @@ - /usr/share/suricata/rules/dnp3-events.rules - /usr/share/suricata/rules/dns-events.rules - /usr/share/suricata/rules/files.rules - - /usr/share/suricata/rules/http2-events.rules - /usr/share/suricata/rules/http-events.rules - /usr/share/suricata/rules/ipsec-events.rules - /usr/share/suricata/rules/kerberos-events.rules - /usr/share/suricata/rules/modbus-events.rules - - /usr/share/suricata/rules/mqtt-events.rules - /usr/share/suricata/rules/nfs-events.rules - /usr/share/suricata/rules/ntp-events.rules - /usr/share/suricata/rules/smb-events.rules